CN106921671A - The detection method and device of a kind of network attack - Google Patents


Info

Publication number: CN106921671A
Authority: CN (China)
Prior art keywords: information, address information, sensitive information, default, clear text
Legal status: Granted (active)
Application number: CN201710174889.9A
Other languages: Chinese (zh)
Other versions: CN106921671B (en)
Inventor: 林裕金
Current assignee: Hangzhou DPTech Technologies Co Ltd
Original assignee: Hangzhou DPTech Technologies Co Ltd

Events: application filed by Hangzhou DPTech Technologies Co Ltd; priority to CN201710174889.9A; publication of CN106921671A; application granted; publication of CN106921671B.


Classifications

    • H04L 63/1416 Event detection, e.g. attack signature detection (H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication > H04L 63/00 Network architectures or network communication protocols for network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1408 By monitoring network traffic)
    • H04L 63/0236 Filtering by address, protocol, port number or service, e.g. IP-address or URL (H04L 63/00 Network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)
    • H04L 63/0245 Filtering by information in the payload (H04L 63/00 Network security > H04L 63/02 Separating internal from external traffic, e.g. firewalls > H04L 63/0227 Filtering policies)
    • H04L 63/1475 Passive attacks, e.g. eavesdropping or listening without modification of the traffic monitored (H04L 63/00 Network security > H04L 63/14 Detecting or protecting against malicious traffic > H04L 63/1441 Countermeasures against malicious traffic)


Abstract

The present invention provides a method and device for detecting a network attack. The method includes: when a message to be processed (the "clear text" of the machine translation) is received, parsing the message to obtain address information and sensitive information; determining whether a preset address information list contains preset address information identical to the address information, the preset address information list recording the preset address information of each preset device among all preset devices; when it is determined that the preset address information list contains no preset address information identical to the address information, determining whether a preset sensitive information list contains preset sensitive information identical to the sensitive information, the preset sensitive information list recording at least one item of preset sensitive information; and when it is determined that the preset sensitive information list contains preset sensitive information identical to the sensitive information, determining that the message has an attack behaviour. The embodiments of the present invention solve the problem of low accuracy when a server detects a network attack.

Description

Detection method and device for a network attack
Technical field
The present invention relates to the field of network communication technology, and in particular to a method and device for detecting a network attack.
Background technology
Typically, a hacker exploits a vulnerability in the network to monitor the information exchanged between a client and a server and steals sensitive information such as user names, login passwords, verification codes and payment passwords; the hacker then uses the stolen sensitive information to launch an attack on the server.
In the prior art, the server cannot judge whether sensitive information has been stolen and therefore cannot detect such an attack, so the accuracy rate with which the server detects network attacks is low.
The content of the invention
In view of this, the present invention provides a method and device for detecting a network attack, so as to solve the problem of low accuracy when a server detects a network attack.
To achieve the above object, the present invention provides the following technical scheme:
According to a first aspect of the invention, a method for detecting a network attack is proposed, the method comprising:
when a message to be processed is received, parsing the message to obtain address information and sensitive information;
determining whether a preset address information list contains preset address information identical to the address information, the preset address information list being used to record the preset address information of each preset device among all preset devices;
when it is determined that the preset address information list contains no preset address information identical to the address information, determining whether a preset sensitive information list contains preset sensitive information identical to the sensitive information, the preset sensitive information list being used to record at least one item of preset sensitive information;
when it is determined that the preset sensitive information list contains preset sensitive information identical to the sensitive information, determining that the message has an attack behaviour.
According to a second aspect of the invention, a device for detecting a network attack is proposed, comprising:
a first parsing module, configured to parse a received message to obtain address information and sensitive information;
a first determining module, configured to determine whether a preset address information list contains preset address information identical to the address information parsed by the first parsing module, the preset address information list being used to record the preset address information of each preset device among all preset devices;
a second determining module, configured to determine, when the first determining module determines that the preset address information list contains no preset address information identical to the address information, whether a preset sensitive information list contains preset sensitive information identical to the sensitive information, the preset sensitive information list being used to record at least one item of preset sensitive information;
a third determining module, configured to determine that the message has an attack behaviour when the second determining module determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information.
It can be seen from the above technical scheme that when the server receives a message to be processed, it parses the message to obtain address information and sensitive information; when the server determines that the preset address information list contains no preset address information identical to the address information, and determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information, the server can judge that the sensitive information has been stolen and determine that the message has an attack behaviour, which greatly improves the accuracy with which the server detects network attacks.
Brief description of the drawings
Fig. 1 is a diagram of the network architecture to which the network attack detection method provided by the present invention applies;
Fig. 2 is a flow chart of an embodiment of the network attack detection method provided by the present invention;
Fig. 3 is a flow chart of an embodiment of another network attack detection method provided by the present invention;
Fig. 4 is a hardware structure diagram of a server provided by the present invention;
Fig. 5 is a block diagram of an embodiment of the network attack detection device provided by the present invention;
Fig. 6 is a block diagram of an embodiment of another network attack detection device provided by the present invention.
Specific embodiments
Exemplary embodiments will be described in detail here, with examples illustrated in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present invention; rather, they are merely examples of apparatus and methods consistent with some aspects of the invention as detailed in the appended claims.
The terminology used in the present invention is for the purpose of describing particular embodiments only and is not intended to limit the invention. The singular forms "a", "said" and "the" used in the present invention and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term "and/or" as used herein refers to and encompasses any or all possible combinations of one or more of the associated listed items.
It should be understood that although the terms first, second, third, etc. may be used in the present invention to describe various information, this information should not be limited by these terms. These terms are only used to distinguish information of the same type from one another. For example, without departing from the scope of the invention, first information may also be called second information, and similarly second information may also be called first information. Depending on the context, the word "if" as used herein may be interpreted as "when", "upon" or "in response to determining".
Fig. 1 is a diagram of the network architecture to which the network attack detection method of the present invention applies. As shown in Fig. 1, the network architecture includes a honeypot system 11, a management device 12, a server 13, a preset device 14, a preset device 15 and an access device 16. The management device 12, server 13, preset device 14 and preset device 15 may together form the honeypot system 11; a description of honeypot systems can be found in the prior art. Those skilled in the art will appreciate that the two preset devices shown here are merely illustrative, and the number of preset devices does not limit the present invention. The preset devices 14 and 15 are known network devices set up by the administrator, and their address information is recorded in the preset address information list; the address information may be an IP address, a MAC address, a device number, and so on. In one embodiment, the preset device 14 is used to simulate the login behaviour of a real user: it sends the server 13 a message carrying sensitive information, which may include private information such as a user name, login password, verification code or payment password. A hacker who monitors the interaction between the preset device 14 and the server 13 steals this sensitive information. When the hacker attacks the server 13 with the stolen sensitive information, the following applies: because the server 13 has recorded the sensitive information in the preset sensitive information list, when the server 13 judges that the preset address information list does not contain the address information of the access device 16, and the message sent by the access device 16 to the server 13 carries that sensitive information, this shows that the access device 16 has stolen the sensitive information; the server 13 determines that the message sent by the access device 16 has an attack behaviour and identifies the access device 16 as the target device. Those skilled in the art will understand that the function of the preset device 15 is the same as that of the preset device 14, which is not repeated here. With the embodiments of the present invention, when the interaction between the preset device 14 and the server 13 is monitored by the access device 16 and the access device 16 obtains the sensitive information, the server 13 can use the preset address information list and the preset sensitive information list to determine whether the sensitive information carried by the access device 16 is the stolen sensitive information, so the accuracy with which the server detects network attacks can be improved.
Fig. 2 is a flow chart of an embodiment of the network attack detection method provided by the present invention, explained by way of example with reference to Fig. 1. As shown in Fig. 2, the method comprises the following steps:
Step 201: when a message to be processed is received, parse the message to obtain address information and sensitive information.
Step 202: determine whether the preset address information list contains preset address information identical to the address information; the preset address information list is used to record the preset address information of each preset device among all preset devices. When it is determined that the preset address information list contains no preset address information identical to the address information, perform steps 203 to 204; when it is determined that the preset address information list contains preset address information identical to the address information, perform step 205.
Step 203: determine whether the preset sensitive information list contains preset sensitive information identical to the sensitive information; the preset sensitive information list is used to record at least one item of preset sensitive information.
Step 204: when it is determined that the preset sensitive information list contains preset sensitive information identical to the sensitive information, determine that the message has an attack behaviour.
Step 205: record the sensitive information in the preset sensitive information list.
In step 201, in one embodiment, the address information may include an IP address, a MAC address, a device number, and so on, and the sensitive information may include private information such as a user name, login password, verification code or payment password. For example, the server 13 parses the message sent by the access device 16 and obtains the address information 192.168.1.1 and the sensitive information: user name CDE, login password 345678.
In step 202, in one embodiment, the server 13 determines whether the preset address information list contains preset address information identical to the address information; the preset address information list records the preset address information corresponding to all preset devices. Referring to Fig. 1, the preset address information list records the preset address information of the preset device 14 and the preset device 15. When the server 13 determines that the list contains no preset address information identical to the address information, steps 203 to 204 are performed; when the server 13 determines that the list contains preset address information identical to the address information, step 205 is performed. The step in which the server 13 determines whether the preset address information list contains preset address information identical to the address information comprises: the server 13 matches the address information against each item of preset address information recorded in the preset address information list; when the address information matches one of the recorded items, the server 13 determines that the list contains preset address information identical to the address information; when the address information matches none of the recorded items, the server 13 determines that the list contains no preset address information identical to the address information. Taking as an example an address information of 192.168.1.1 and preset address information of 121.14.88.76 and 121.14.88.77 for the preset devices 14 and 15 respectively, the server 13 matches the address information 192.168.1.1 against the recorded preset address information 121.14.88.76 and 121.14.88.77 in turn; neither matches, so the server 13 determines that the preset address information list contains no preset address information identical to the address information 192.168.1.1, and performs steps 203 to 204. In another embodiment, taking as an example an address information of 121.14.88.76 and preset address information of 121.14.88.76 and 121.14.88.77 for the preset devices 14 and 15 respectively, the server 13 matches the address information 121.14.88.76 against the recorded preset address information 121.14.88.76 and 121.14.88.77 in turn; the address information 121.14.88.76 matches the preset address information 121.14.88.76, so the server 13 determines that the preset address information list contains preset address information 121.14.88.76 identical to the address information 121.14.88.76, and performs step 205.
In step 203, in one embodiment, the server 13 determines whether the preset sensitive information list contains preset sensitive information identical to the sensitive information; the preset sensitive information list is used to record at least one item of preset sensitive information. The step in which the server 13 makes this determination comprises: the server 13 matches the sensitive information against each item of preset sensitive information recorded in the preset sensitive information list; when the sensitive information matches one of the recorded items, the server 13 determines that the list contains preset sensitive information identical to the sensitive information; when the sensitive information matches none of the recorded items, the server 13 determines that the list contains no preset sensitive information identical to the sensitive information. Table 1 shows an example of the structure of the preset sensitive information list:
Table 1
Sequence number   User name   Login password   Verification code   Payment password
1                 ABC         123456           0218                (empty)
2                 BCD         234567           (empty)             67329
3                 CDE         345678           (empty)             (empty)
4                 (empty)     (empty)          (empty)             (empty)
In Table 1, sequence number 1 corresponds to user name ABC, login password 123456, verification code 0218 and an empty payment password; sequence number 2 to user name BCD, login password 234567, an empty verification code and payment password 67329; sequence number 3 to user name CDE, login password 345678, an empty verification code and an empty payment password; and sequence number 4 has an empty user name, login password, verification code and payment password. Taking as an example sensitive information consisting of user name CDE and login password 345678, the user name CDE and login password 345678 match the user name CDE and login password 345678 of sequence number 3, so the server 13 determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information.
In step 204, in one embodiment, when the server 13 determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information, the server 13 determines that the message has an attack behaviour.
Those skilled in the art will appreciate that the following step 205 is optional.
In step 205, in one embodiment, when it is determined that the preset address information list contains preset address information identical to the address information, the server 13 records the sensitive information in the preset sensitive information list. Taking as an example sensitive information consisting of user name DEF and login password 456789, the server 13 records the user name DEF and login password 456789 in the user name and login password fields of sequence number 4 shown in Table 1. It should be noted that the preset sensitive information recorded in the preset sensitive information list may be obtained through step 205, or all of the preset sensitive information configured by the management device 12 may be recorded in the preset sensitive information list in advance, with the management device 12 then distributing the preset sensitive information list uniformly to the server 13, the preset device 14 and the preset device 15. The process of generating the preset sensitive information list and of recording the preset sensitive information is not limited here.
In the embodiments of the present invention, when the server receives a message to be processed, it parses the message to obtain address information and sensitive information; when the server determines that the preset address information list contains no preset address information identical to the address information, and determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information, the server can judge that the sensitive information has been stolen and determine that the message has an attack behaviour, which greatly improves the accuracy with which the server detects network attacks.
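The following Python code is an added illustration of steps 201 to 205 of the Fig. 2 method from the server's side; it is not the patent's implementation. The plaintext message format (space-separated "key=value" fields), the names parse_message, CanaryDetector and demo, and the sample traffic are constructed for this example; the addresses and credentials are the values used in the description above (192.168.1.1, 121.14.88.76, 121.14.88.77, CDE/345678, DEF/456789 and the Table 1 entries).

```python
"""Steps 201 to 205 of the Fig. 2 method as runnable code (added example)."""


def parse_message(message):
    """Step 201: parse a received plaintext message into address info and sensitive info.

    The address info is the source address; the sensitive info is the (user name,
    login password) pair. Verification codes and payment passwords would be matched
    the same way and are left out to keep the example short. Message format is a
    constructed one: "src=... user=... password=...".
    """
    fields = dict(token.split("=", 1) for token in message.split())
    address = fields["src"]
    sensitive = (fields.get("user", ""), fields.get("password", ""))
    return address, sensitive


class CanaryDetector:
    """Server-side detector backed by the two lists of the patent (hypothetical name)."""

    def __init__(self, preset_addresses, preset_sensitive=()):
        # Preset address information list: addresses of the known preset
        # (honeypot) devices 14 and 15, configured by the administrator.
        self.preset_addresses = set(preset_addresses)
        # Preset sensitive information list (Table 1): credentials the preset
        # devices have sent to the server; anyone else presenting them stole them.
        self.preset_sensitive = set(preset_sensitive)

    def inspect(self, message):
        """Return "recorded", "attack" or "benign" for one message."""
        address, sensitive = parse_message(message)
        # Step 202: does the preset address information list contain this address?
        if address in self.preset_addresses:
            # Step 205: a preset device legitimately used these credentials,
            # so remember them as canary values for later comparisons.
            self.preset_sensitive.add(sensitive)
            return "recorded"
        # Steps 203 and 204: an unknown sender presenting canary credentials can
        # only have obtained them by eavesdropping on the honeypot traffic.
        if sensitive in self.preset_sensitive:
            return "attack"
        return "benign"


def demo():
    """Run the worked examples of the description; returns the list of verdicts."""
    detector = CanaryDetector(
        preset_addresses={"121.14.88.76", "121.14.88.77"},
        preset_sensitive={("ABC", "123456"), ("BCD", "234567"), ("CDE", "345678")},
    )
    messages = [  # constructed sample traffic
        "src=192.168.1.1 user=CDE password=345678",   # access device 16 replays a Table 1 entry
        "src=121.14.88.76 user=DEF password=456789",  # preset device 14 logs in: step 205
        "src=192.168.1.1 user=DEF password=456789",   # same credentials from an unknown host
        "src=192.168.1.1 user=XYZ password=000000",   # unknown host, never-seen credentials
    ]
    return [detector.inspect(m) for m in messages]


if __name__ == "__main__":
    print(demo())  # ['attack', 'recorded', 'attack', 'benign']
```

The verdict "recorded" is the step 205 branch: the message came from a preset device, so its credentials are appended to the list rather than checked against it. Note that the decision is purely a set membership test, so a false positive is only possible if a real user reuses a credential that a honeypot device has already sent, which the administrator avoids by giving the preset devices credentials of their own.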
Fig. 3 is a flow chart of an embodiment of another network attack detection method provided by the present invention. This embodiment is explained by way of example on the basis of steps 201 to 204, with reference to Figs. 1, 2 and 3. As shown in Fig. 3, it comprises the following steps:
Step 301: parse the message to be processed to obtain five-tuple information.
Step 302: count the number of messages with identical five-tuple information received within a preset duration; when the number is greater than or equal to a preset number, perform steps 303 to 304; when the number is less than the preset number, perform step 305.
Step 303: determine that the message has an attack behaviour, and mark the message with an attack identifier.
Step 304: send the log information corresponding to the message and the attack identifier to the management device.
Step 305: when it is determined that the preset sensitive information list contains no preset sensitive information identical to the sensitive information, determine that the message has no attack behaviour, and send the log information corresponding to the message to the management device.
In step 301, those skilled in the art will appreciate that software may also be installed on the preset device 14 or the preset device 15 to provide services with certain preset false functions; for example, suitable software is installed on the preset device 14 so that it can provide a web page access service. When the access device 16 accesses the preset device 14, the preset device 14 forwards the message sent by the access device 16 to the server 13, and the server 13 parses the message to obtain the five-tuple information, which includes the source IP address, destination IP address, source port, destination port and transport protocol.
In step 302, taking as an example a preset duration of 1 second, a preset number of 100, and five-tuple information consisting of source IP address "192.168.1.1", destination IP address "121.14.88.76", source port "10000", destination port "80" and TCP protocol number "6", the server 13 counts the number of messages received within 1 second with source IP address "192.168.1.1", destination IP address "121.14.88.76", source port "10000", destination port "80" and TCP protocol number "6"; when the number is greater than or equal to the preset number 100, steps 303 to 304 are performed, and when the number is less than the preset number, step 305 is performed.
In step 303, the server 13 determines that the message has an attack behaviour and marks the message with an attack identifier; for example, the server 13 marks the message with attack identifier 1.
In step 304, the server 13 sends the log information corresponding to the message and the attack identifier to the management device 12. The log information may include the attack time, attack frequency, number of attacks, sensitive information, five-tuple information, and so on. The management device 12 displays the log information and the attack identifier through visual interactive software, which makes it easy for the administrator to discover the attack behaviour in time and take protective measures against it.
In step 305, when the server 13 determines that the preset sensitive information list contains no preset sensitive information identical to the sensitive information, the server 13 determines that the message has no attack behaviour and sends the log information corresponding to the message to the management device 12, so that the management device 12 displays the log information through visual interactive software for the administrator to analyse.
In the embodiments of the present invention, the server 13 parses the message to obtain five-tuple information and counts the number of messages with identical five-tuple information received within the preset duration; when the number is greater than or equal to the preset number, the server 13 determines that the message has an attack behaviour. By determining whether the message has an attack behaviour from the number of messages with identical five-tuple information received within the preset duration, the server 13 refines the method of Fig. 2 for determining that a message has an attack behaviour, further improving the accuracy of the server 13 in detecting network attacks. At the same time, by sending the log information and the attack identifier to the management device 12, the management device 12 can display the log information through visual interactive software, making it easy for the administrator to discover the attack behaviour in time and to analyse the log data.
Corresponding to the above network attack detection method, the present invention also proposes the hardware structure diagram of the server shown in Fig. 4. Referring to Fig. 4, at the hardware level the server includes a processor, an internal bus, a network interface, memory and non-volatile storage, and may of course also include hardware required for other services. The processor reads the corresponding computer program from the non-volatile storage into memory and runs it, forming the network attack detection device at the logical level. Besides a software implementation, the present invention does not exclude other implementations, such as a logic device or a combination of software and hardware; that is, the executing agent of the following processing flow is not limited to individual logic units and may also be hardware or a logic device.
Fig. 5 is a block diagram of an embodiment of the network attack detection device provided by the present invention. As shown in Fig. 5, the network attack detection device may include a first parsing module 51, a first determining module 52, a second determining module 53 and a third determining module 54, wherein:
the first parsing module 51 is configured to parse a received message to obtain address information and sensitive information;
the first determining module 52 is configured to determine whether the preset address information list contains preset address information identical to the address information parsed by the first parsing module 51, the preset address information list being used to record the preset address information of each preset device among all preset devices;
the second determining module 53 is configured to determine, when the first determining module 52 determines that the preset address information list contains no preset address information identical to the address information, whether the preset sensitive information list contains preset sensitive information identical to the sensitive information, the preset sensitive information list being used to record at least one item of preset sensitive information;
the third determining module 54 is configured to determine that the message has an attack behaviour when the second determining module 53 determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information.
Fig. 6 is a block diagram of another embodiment of the network attack detection device provided by the invention. As shown in Fig. 6, on the basis of the embodiment shown in Fig. 5, the network attack detection device further includes:
a second parsing module 55, configured to parse the message to be processed to obtain five-tuple information;
a count statistics module 56, configured to count the number of messages to be processed received within a preset duration that carry five-tuple information identical to that obtained by the second parsing module 55;
a fourth determining module 57, configured to determine that the message to be processed exhibits attack behaviour when the count obtained by the count statistics module 56 is greater than or equal to a preset number.
In one embodiment, the network attack detection device further includes:
an attack flag marking module 58, configured to mark the message to be processed with an attack flag when the third determining module 54 or the fourth determining module 57 performs the step of determining that the message to be processed exhibits attack behaviour;
a first sending module 59, configured to send to a management device the log information corresponding to the message to be processed together with the attack flag marked by the attack flag marking module 58.
In one embodiment, the network attack detection device further includes:
a second sending module 60, configured to, when the count obtained by the count statistics module 56 is less than the preset number and the second determining module 53 determines that the preset sensitive information list contains no preset sensitive information identical to the sensitive information, determine that the message to be processed exhibits no attack behaviour and send the log information corresponding to the message to the management device.
In one embodiment, the network attack detection device further includes:
a sensitive information recording module 61, configured to, when the first determining module 52 determines that the preset address information list contains preset address information identical to the address information, record the sensitive information in the preset sensitive information list.
The implementation process of the functions and effects of each unit of the above device corresponds to the implementation process of the corresponding steps of the above method and is not repeated here.
Since the device embodiment essentially corresponds to the method embodiment, the relevant parts can be found in the description of the method embodiment. The device embodiment described above is merely illustrative: the units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units; they may be located in one place or distributed over multiple network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the invention. Those of ordinary skill in the art can understand and implement this without creative effort.
As seen from the above embodiment, when the server receives a message to be processed, it parses the message to obtain address information and sensitive information. When the server determines that the preset address information list contains no preset address information identical to the address information, and then determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information, the server can judge that the sensitive information is being stolen and determines that the message exhibits attack behaviour. This greatly improves the accuracy of the server's detection of network attacks.
Other embodiments of the invention will readily occur to those skilled in the art after considering the specification and practising the invention disclosed herein. The application is intended to cover any variations, uses or adaptations of the invention that follow its general principles and include common knowledge or conventional techniques in the art not disclosed herein. The specification and embodiments are to be regarded as exemplary only, with the true scope and spirit of the invention being indicated by the following claims.
It should also be noted that the terms "including", "comprising" or any other variant thereof are intended to denote non-exclusive inclusion, so that a process, method, article or device including a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article or device. Without further limitation, an element defined by the phrase "including a ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
The foregoing is merely a preferred embodiment of the invention and is not intended to limit it; any modification, equivalent substitution or improvement made within the spirit and principles of the invention shall fall within the scope of protection of the invention.

Claims (10)

1. A network attack detection method, characterised in that the method includes:
when a message to be processed is received, parsing the message to obtain address information and sensitive information;
determining whether a preset address information list contains preset address information identical to the address information, the preset address information list being used to record the preset address information of each preset device among all preset devices;
when it is determined that the preset address information list contains no preset address information identical to the address information, determining whether a preset sensitive information list contains preset sensitive information identical to the sensitive information, the preset sensitive information list being used to record at least one item of preset sensitive information;
when it is determined that the preset sensitive information list contains preset sensitive information identical to the sensitive information, determining that the message to be processed exhibits attack behaviour.
2. The method according to claim 1, characterised in that the method further includes:
parsing the message to be processed to obtain five-tuple information;
counting the number of messages to be processed received within a preset duration that carry identical five-tuple information;
when the number is greater than or equal to a preset number, determining that the message to be processed exhibits attack behaviour.
3. The method according to any one of claims 1 to 2, characterised in that the method further includes:
marking the message to be processed with an attack flag;
sending the log information corresponding to the message to be processed and the attack flag to a management device.
4. The method according to claim 2, characterised in that the method further includes:
when the number is less than the preset number and it is determined that the preset sensitive information list contains no preset sensitive information identical to the sensitive information, determining that the message to be processed exhibits no attack behaviour and sending the log information corresponding to the message to the management device.
5. The method according to claim 1, characterised in that the method further includes:
when it is determined that the preset address information list contains preset address information identical to the address information, recording the sensitive information in the preset sensitive information list.
6. A network attack detection device, characterised in that the device includes:
a first parsing module, configured to, when a message to be processed is received, parse the message to obtain address information and sensitive information;
a first determining module, configured to determine whether a preset address information list contains preset address information identical to the address information parsed by the first parsing module, the preset address information list being used to record the preset address information of each preset device among all preset devices;
a second determining module, configured to, when the first determining module determines that the preset address information list contains no preset address information identical to the address information, determine whether a preset sensitive information list contains preset sensitive information identical to the sensitive information, the preset sensitive information list being used to record at least one item of preset sensitive information;
a third determining module, configured to, when the second determining module determines that the preset sensitive information list contains preset sensitive information identical to the sensitive information, determine that the message to be processed exhibits attack behaviour.
7. The device according to claim 6, characterised in that the device further includes:
a second parsing module, configured to parse the message to be processed to obtain five-tuple information;
a count statistics module, configured to count the number of messages to be processed received within a preset duration that carry five-tuple information identical to that obtained by the second parsing module;
a fourth determining module, configured to determine that the message to be processed exhibits attack behaviour when the count obtained by the count statistics module is greater than or equal to a preset number.
8. The device according to any one of claims 6 to 7, characterised in that the device further includes:
an attack flag marking module, configured to mark the message to be processed with an attack flag when the third determining module or the fourth determining module performs the step of determining that the message to be processed exhibits attack behaviour;
a first sending module, configured to send to a management device the log information corresponding to the message to be processed and the attack flag marked by the attack flag marking module.
9. The device according to claim 7, characterised in that the device further includes:
a second sending module, configured to, when the count obtained by the count statistics module is less than the preset number and the second determining module determines that the preset sensitive information list contains no preset sensitive information identical to the sensitive information, determine that the message to be processed exhibits no attack behaviour and send the log information corresponding to the message to the management device.
10. The device according to claim 6, characterised in that the device further includes:
a sensitive information recording module, configured to, when the first determining module determines that the preset address information list contains preset address information identical to the address information, record the sensitive information in the preset sensitive information list.
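The detection flow described by device modules 51 to 61 and by claims 1 to 10, as an added Python example that is not part of the patent or of any product of the assignee. The message layout, the pattern used to recognise sensitive information, the address list, the thresholds and the sample traffic are all constructed assumptions; the patent itself does not specify how sensitive information is parsed.

```python
import re
from collections import defaultdict

# Constructed, hypothetical configuration: the preset address information list (addresses
# of the preset devices allowed to carry sensitive data), the preset duration in seconds
# and the preset number of same-five-tuple messages that count as an attack.
PRESET_ADDRESSES = {"10.0.0.5", "10.0.0.6"}
PRESET_DURATION = 10.0
PRESET_NUMBER = 3
# Assumed message layout: "src sport dst dport proto payload"; sensitive information is
# assumed to be any payload token shaped like card=<digits> or ssn=<nnn-nn-nnnn>.
SENSITIVE_RE = re.compile(r"\b(card=\d{12,19}|ssn=\d{3}-\d{2}-\d{4})\b")


def parse(message):
    """First and second parsing modules: address info, sensitive info, five-tuple."""
    src, sport, dst, dport, proto, payload = message.split(" ", 5)
    sensitive = frozenset(SENSITIVE_RE.findall(payload))
    return src, sensitive, (src, int(sport), dst, int(dport), proto)


class Detector:
    def __init__(self, addresses=PRESET_ADDRESSES, duration=PRESET_DURATION,
                 number=PRESET_NUMBER):
        self.addresses = set(addresses)
        self.sensitive = set()          # preset sensitive information list (claim 5 fills it)
        self.duration = duration
        self.number = number
        self.seen = defaultdict(list)   # five-tuple -> arrival times inside the window
        self.sent = []                  # log information handed to the management device

    def process(self, message, now):
        """Return True when the message to be processed is judged to exhibit attack behaviour."""
        addr, sensitive, five = parse(message)
        attack = False
        if addr in self.addresses:
            # Claim 5: a preset device legitimately carries this data; record it so the same
            # data seen later from an address outside the list is recognised as stolen.
            self.sensitive |= sensitive
        elif sensitive & self.sensitive:
            attack = True   # claim 1: known sensitive data leaving from an unlisted address
        # Claim 2: count messages with an identical five-tuple inside the preset duration.
        times = [t for t in self.seen[five] if now - t < self.duration] + [now]
        self.seen[five] = times
        if len(times) >= self.number:
            attack = True
        # Claims 3 and 4: every message is logged; an attack additionally carries the flag.
        self.sent.append({"five_tuple": five, "time": now, "attack_flag": attack})
        return attack


if __name__ == "__main__":
    d = Detector()
    # Constructed traffic: a preset device sends a card number, an unlisted host then tries
    # to send the same number out, and finally floods a single five-tuple.
    print(d.process("10.0.0.5 443 10.0.0.9 51000 tcp card=4111111111111111 ok", 0.0))
    print(d.process("192.0.2.7 51000 198.51.100.1 80 tcp post card=4111111111111111", 1.0))
    for t in (2.0, 3.0, 4.0):
        print(d.process("192.0.2.7 51000 198.51.100.1 80 tcp keepalive", t))
```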
Application CN201710174889.9A, priority date 2017-03-22, filing date 2017-03-22, "network attack detection method and device", status Active, granted as CN106921671B.

Publications (2)

Publication Number Publication Date
CN106921671A 2017-07-04
CN106921671B 2019-12-06

Family

ID=59462116


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant